1 Introduction



Modular, hierarchical methods for specifying reactive systems [13] include 
rules for composing and refining specifications (e.g., [9]). The form of the 
rules suggests a possible specification logic. In it, the propositions would 
be system specifications; the notations for combining specifications would 
become logical connectives; and the rules for composition and refinement 
would be formulated as sound inference rules. The logic would thereby 
provide a setting for the study of composition and refinement rules. It 
should also provide a framework for writing specifications and for verifying 
them using these rules. 

In this paper, we define and develop such a logic for composition. We intend 
to treat refinement in a second paper, and thereby complete a framework for 
the use of the modular specification methods that composition and refine- 
ment rules underpin. At that point it will be natural and useful to consider 
a formal logic; in this paper we prefer to work at the semantical level. (The 
treatment of refinement and the formal logic were sketched in a preliminary 
version of this paper [2].) 

In fact two logics of composition arise naturally. One of the logics is an 
intuitionistic logic, while the other one is linear [12]. In the intuitionistic 
logic, a specification is a set of allowed behaviors, as in [19, 6]. In the linear 
logic, a specification is a set of allowed processes, much as in the sense of 
Abrahamson [3]. 

Composition rules typically apply to safety properties, and also, sometimes 
with significant complication, to certain liveness properties. Here we 
treat only safety properties. With this restriction, the logics provide a new 
understanding of some current specification methods, and suggest extensions. 
They are intended as a basis for Lamport's transition-axiom method 
for reactive systems [21]. 

A reactive system can be expected to operate correctly only when its envi- 
ronment operates correctly. For example, a concurrent program module can 
be expected to exhibit desirable behavior only when its inputs are of the 
proper types. But the environment cannot be required to operate correctly, 
and the system's obligations are void when the environment operates incor- 
rectly. An assumption-guarantee specification states that a reactive system 
satisfies a specification M if it operates in an environment that satisfies an 
assumption $E$; this specification is sometimes written $E \Rightarrow M$. 
A Composition Principle gives a way of combining assumption-guarantee 
specifications while discharging their assumptions [23, 24, 26, 1]. A simple 
version of the principle, applied to two reactive systems $p_1$ and $p_2$, says: 

If $p_1$ satisfies $M_2 \Rightarrow M_1$ 

and $p_2$ satisfies $M_1 \Rightarrow M_2$, 

then when they are run in parallel 

$p_1$ satisfies $M_1$ and $p_2$ satisfies $M_2$. 

As stated, the Composition Principle is not sound in general. The underlying 
propositional reasoning is obviously (and intriguingly) circular. 

However, the principle is sound when $M_1$ and $M_2$ are safety properties, and 
under some additional hypotheses. For instance, consider two processes $p_1$ 
and $p_2$ that communicate by the distributed integer variables $x_1$ and $x_2$; it 
is assumed that only $p_1$ writes $x_1$ and that only $p_2$ writes $x_2$. Let $M_1$ be "$x_1$ 
never decreases" and $M_2$ be the corresponding assertion for $x_2$, and suppose 
that $p_1$ and $p_2$ satisfy $M_2 \Rightarrow M_1$ and $M_1 \Rightarrow M_2$, respectively. Then it is 
sound to conclude that $M_1$ and $M_2$ both hold, that is, that neither $x_1$ nor 
$x_2$ ever decreases. 

An important test for a logic of specifications is whether it can be used to 
express and to illuminate the Composition Principle. Both of our logics are 
designed to satisfy this criterion. For example, the intuitionistic formulation 
of the principle just given is: 

$$(M_2 \to M_1) \wedge (M_1 \to M_2) \vdash M_1 \wedge M_2$$

with a proviso to guarantee that Mi and M2 are specifications of separate 
processes. The logics can express also other variants of the Composition 
Principle; they serve in comparing these variants and, occasionally, in dis- 
covering new ones. 

As we consider only safety properties, which are closed sets, we obtain an 
intuitionistic logic. In this we follow Hennessy and Plotkin [16] and, less 
directly, Abramsky with his proposal of a general logic of open sets [4]. Par- 
allel composition can be represented by conjunction, as in works of Lamport 
and Pnueli. Both Dam [7] and Abramsky [27] pointed out that in general 
parallelism will give extra, quantalic structure. This indeed happens when 
we take specifications to be sets of processes, and then the logic of speci- 
fications is linear. Our work may yield some evidence for the relevance of 
linear logic to concurrency. Other evidence can be found in work on Petri 
Nets (e.g., [22]) and testing equivalence [5]. 

We introduce our logics in Section 2. In Section 3 we develop the intuitionis- 
tic logic of safety properties of behaviors, treating also invariance under stut- 
tering. In Section 4 we develop the intuitionistic linear logic of safety prop- 
erties of processes. As well as the natural logical structure, a new connective 
is needed to formulate a Composition Principle in this setting. In Section 5 
we consider notions of testing for processes. We begin with an external no- 
tion, somewhat after the manner of De Nicola and Hennessy [10, 14], where 
the tests are not themselves processes in the model; then we obtain an 
internal notion where they are. If we equate processes indistinguishable under 
testing we obtain a model of classical linear logic; this can also be obtained 
from the intuitionistic one as the collection of facts for a choice of $\bot$ 
related to testing, following another suggestion of Abramsky [27]. Finally, in 
Section 6 we relate the intuitionistic logic with the intuitionistic linear logic, 
showing how the latter can be regarded as an abstraction of the former. The 
reader may wish to consult [8, 17, 25] for information on partial orders, cpos 
(complete partial orders), complete Heyting algebras, and quantales. 

2 Overview 

We review the basic propositional intuitionistic and linear calculi. We de- 
scribe the usual connectives, and motivate the addition of new constructs, 
which are needed in order to support the assumption-guarantee specification 
style. 

2.1 A calculus of sets of behaviors 

The intuitionistic logic is inspired by the work of Lamport, Pnueli, and 
others, where the specification of a system is a set of allowed behaviors. 
In turn, a behavior is a sequence of state transitions, and a state is an 
assignment of values to state components, or variables. Each state transition 
is attributed to an agent, the environment process or system process that 
caused the state change. Thus, a behavior is a sequence 

$$s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} s_2 \xrightarrow{a_3} \cdots$$

where each $s_i$ is a state and each $a_i$ is an agent, and the sequence is either 
infinite or else ends in a state $s_m$ for some $m \ge 0$. 

The use of agents is motivated by the obvious need to distinguish between 
actions performed by the environment and those performed by the system. 
In any particular specification, it suffices to consider two agents: the envi- 
ronment and the system. However, it is preferable to allow arbitrary sets 
of agents, in order to ease the composition of specifications. Agents are 
taken as a primitive notion below, but this can be avoided, for example as 
in Pnueli's work [24]. 

Since we are concerned only with safety properties, we restrict attention to 
finite behaviors. A safety property is then a prefix-closed set of behaviors. In 
the logic, the propositions denote safety properties, and $\vdash$ simply stands for 
$\subseteq$. The collection of safety properties forms a complete Heyting algebra [17] 
and so the intuitionistic logical operations $\wedge$, $\vee$, and $\to$ are available. The 
first two are intersection and union. 

Conjunction serves its usual logical role: a process $p$ satisfies $M_1 \wedge M_2$ if and 
only if it satisfies both $M_1$ and $M_2$. Conjunction represents also parallel 
composition: if $p_1$ satisfies $M_1$ and $p_2$ satisfies $M_2$ then $p_1$ and $p_2$ in parallel 
satisfy $M_1 \wedge M_2$. For instance, suppose that only $p_1$ writes the variable 
$x_1$, and it guarantees that $x_1$ never decreases, and similarly for $p_2$ and 
$x_2$; then the parallel composition of $p_1$ and $p_2$ guarantees that $x_1$ never 
decreases and that $x_2$ never decreases. Further, disjunction corresponds to 
nondeterministic choice: if $p_1$ satisfies $M_1$ and $p_2$ satisfies $M_2$ then a process 
that acts like either $p_1$ or $p_2$ satisfies $M_1 \vee M_2$. 

Implication turns out to be a familiar and handy operation: $E \to M$ is 
the set of all behaviors that satisfy $M$ for as long as they satisfy $E$, or 
longer. The connective $\to$ has arisen in works on the Composition Principle 
(in [1], and implicitly in [23] and [24]). Under reasonable hypotheses, the 
specifications $E \Rightarrow M$ and $E \to M$ have the same implementations, and 
hence $\Rightarrow$ can be replaced with $\to$. The fact that the logical formulation 
naturally yields this connective is encouraging, as it suggests that the logic 
might be sensible and useful. 

The specification of a system cannot require the environment to work properly, 
and so any environment action should be allowed. More precisely, if a 
property $M$ is intended to specify the process represented by an agent (or 
set of agents) $\mu$, then any prefix-minimal behavior not in $M$ should end with 
a $\mu$ state change. When this condition holds, we say that $M$ constrains at 
most $\mu$, and write $M \le \mu$. 

With this notation, the Composition Principle reads: for any $M_1$ and $M_2$, 

$$(M_2 \to M_1) \wedge (M_1 \to M_2) \vdash M_1 \wedge M_2$$

provided $M_1 \le \mu_1$, $M_2 \le \mu_2$, and the sets $\mu_1$ and $\mu_2$ are disjoint. The proviso 
expresses the requirement that $M_1$ and $M_2$ describe different processes. (The 
principle is not sound otherwise, for example if $M_1$ and $M_2$ are the same.) 
Note how the logical approach obviates the need for explicit reference either 
to processes (as in [23, 24]) or to the realizable parts of properties (as in [1]). 

Many variants of the Composition Principle can be treated in this framework; 
for example, we easily obtain: 

$$\frac{E \wedge M_2 \vdash E_1 \qquad E \wedge M_1 \vdash E_2}{(E_1 \to M_1) \wedge (E_2 \to M_2) \vdash (E \to M_1 \wedge M_2)}$$

where $M_1 \le \mu_1$ and $M_2 \le \mu_2$. Some of these variants are well known, while 
others seem to be new. All of them can be proved equivalent using propositional 
reasoning and a few rules about the constrains relation. 

2.2 A calculus of sets of processes 

In the linear calculus, a proposition denotes a set of processes. We take a 
process to be a set of sequences of state pairs. Intuitively, a process that 
contains $(s_1, t_1)(s_2, t_2)(s_3, t_3)\ldots$ can change the state from $s_1$ to $t_1$, and 
later from $s_2$ to $t_2$, and later yet from $s_3$ to $t_3$, and so on. 

In the study of safety, it suffices to consider finite sequences of state pairs. 
We require also that processes be prefix-closed. It turns out that the set of 
safety properties is isomorphic to the set of processes; thus, we may identify 
safety properties and processes. 

The logical operations $\wedge$, $\vee$, and $\to$ are still meaningful. They arise as before 
from the complete Heyting algebra structure of the partial order of safety 
properties. 

The property $M_1 \wedge M_2$ allows the processes that are allowed by both $M_1$ 
and $M_2$; conjunction does not have any particular relation with concurrency. 
Disjunction corresponds to nondeterministic choice, as before. Finally, 
$M_1 \to M_2$ includes the processes that behave like a process in $M_2$ for 
as long as they behave like a process in $M_1$ (or longer). 
Intuitionistic linear logic arises when we consider the parallel composition 
of two processes. The parallel composition of $p_1$ and $p_2$ is the set of shuffles 
of $p_1$ sequences with $p_2$ sequences. At the level of specifications, this gives 
rise to a new logical operation, $\otimes$, which is the multiplicative conjunction in 
linear logic. A process satisfies $M_1 \otimes M_2$ if it is the parallel composition of 
an $M_1$ process with an $M_2$ process. Thus, if $p_1$ satisfies $M_1$ and $p_2$ satisfies 
$M_2$ then the parallel composition of $p_1$ and $p_2$ satisfies $M_1 \otimes M_2$. 

Associated with the connective $\otimes$ is a linear implication operation, $\multimap$. The 
property $M_1 \multimap M_2$ is the largest $N$ such that $M_1 \otimes N$ is a subset of $M_2$. 
Thus, $p \in M_1 \multimap M_2$ if and only if the parallel composition of $p$ with any 
$q \in M_1$ satisfies $M_2$. 

Conjunction and disjunction are then the additive connectives of linear logic. 
The exponential operator ! is trivial, but a nontrivial (•)* construct can be 
added to represent the parallel composition of a number of like processes. In 
the next subsection, we propose an interpretation of the classical constructs. 

The standard intuitionistic linear connectives do not suffice as a basis for 
assumption-guarantee specifications. In particular, $p \in E \multimap M$ is not equivalent 
to the desired "$p$ satisfies $M$ in any environment that satisfies $E$." 
The assertion $p \in E \multimap M$ means only that the composition of $p$ with any $E$ 
process $q$ is an $M$ process. It is possible that $q$ is not the whole environment 
of $p$: there could be a third process running in parallel. It is also possible 
that $p$ does not satisfy $M$ in this environment, even though the parallel composition of 
$p$ and $q$ does. 

To remedy this deficiency, we introduce a connective $\mathrel{-\!\circ}$. The property 
$M_1 \mathrel{-\!\circ} M_2$ consists of the processes that, when run in parallel with an $M_1$ 
process (and with nothing else), behave like $M_2$ processes. The special case 
of $M_1 \mathrel{-\!\circ} M_2$ where $M_1$ contains only the null process $1$ is of particular 
interest; $\{1\} \mathrel{-\!\circ} M$ is the set of all processes that behave like a process in 
$M$ when run by themselves, with no interference from the environment. We 
denote this property by $M^\circ$. 

Now the Composition Principle goes: 

$$(M_2 \mathrel{-\!\circ} M_1) \otimes (M_1 \mathrel{-\!\circ} M_2) \vdash (M_1 \otimes M_2)^\circ$$

This formula is valid in our model, without any additional proviso. As in 
the intuitionistic case, a number of variants of the Composition Principle 
are available, and for example we have also the more general: 

$$\frac{E \otimes M_2 \vdash E_1 \qquad E \otimes M_1 \vdash E_2}{(E_1 \mathrel{-\!\circ} M_1) \otimes (E_2 \mathrel{-\!\circ} M_2) \vdash (E \multimap M_1 \otimes M_2)}$$



2.3 Testing 

The linear logic described so far is an intuitionistic one. It does not include 
a constant $\bot$ that resembles falsehood, or a negation-like involution $(\cdot)^\bot$. 
The notion of testing suggests useful $\bot$ and $(\cdot)^\bot$ constructs, and gives rise 
to a different account of assumption-guarantee specifications. We can view 
the environment of a process as a tester for the process. Tests start from 
a distinguished state $\alpha$; and another distinguished state $\beta$ represents the 
result of successful tests. A process $p$ passes the test of $q$ if $p$ and $q$ may 
yield the state $\beta$ when they run in parallel, starting from $\alpha$, and $q$ fails $p$ 
otherwise. A process succeeds if it may yield $\beta$ when it runs in isolation, 
starting from $\alpha$, and it fails otherwise. Thus, $p$ passes the test of $q$ if the 
parallel composition of $p$ and $q$ succeeds. 

Failure is a safety property, and we write $\bot$ for the set of all processes 
that fail. A sort of negation can also be defined: $M^\bot$ is the set of all 
processes that fail $M$ processes. Naturally, we are particularly interested in 
the propositions $M$ such that $M = (M^\bot)^\bot$, which are called facts. These 
are the specifications that have sound and complete testers; they can be 
characterized explicitly with a simple set of closure conditions. 

Certain expressions in this classical linear logic are reminiscent of 
assumption-guarantee specifications. In particular, $(E \wedge M^\bot)^\bot$ is the set of processes 
that fail all of the tests that $M$ processes fail, provided these tests are from 
$E$. In other words, $(E \wedge M^\bot)^\bot$ includes all of the processes that cannot 
be distinguished from $M$ processes in $E$ environments (by $E$ tests). It 
is analogous to the assumption-guarantee specification $E \Rightarrow M$, but the 
obvious analogues of the Composition Principle do not hold. 

A small correction solves this problem. Let 

$$E^+ = E \cup \{u(s, \beta) \mid u \in E,\ s \text{ a state}\}$$

The processes in $E^+$ behave like processes in $E$, except that they may pass 
the testee at any point. If $E$ and $M$ are facts, then 

$$E \mathrel{-\!\circ} M = (E^+ \cap M^\bot)^\bot$$

and the expected Composition Principle follows. 
3 Intuitionistic Logic 



The model that underlies the intuitionistic logic is a small variant of that 
used by Abadi and Lamport in [1]; we refer the reader to this and previous 
works for additional motivation. 

We assume a nonempty set of states, $S$, and a nonempty set of agents, $A$. 
These sets are disjoint. A behavior is an alternating finite sequence of states 
and agents that both begins and ends with a state. It can be pictured as: 

$$s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} s_2 \xrightarrow{a_3} \cdots \xrightarrow{a_n} s_n$$

where each $s_i$ is a state and each $a_i$ is an agent. We identify states with the 
corresponding one-element sequences. If $\sigma$ is a sequence, $a$ an agent, and $s$ a 
state, then $\sigma \xrightarrow{a} s$ denotes the concatenation $\sigma a s$. The set of all behaviors 
is denoted by $B$. 

A safety property is a set of behaviors closed under prefixes. The set of 
all safety properties is denoted by $S_B$, and ordered by subset. It will be 
convenient to use the turnstile symbol $\vdash$ to denote the subset ordering. 
Safety properties, as we have defined them, are isomorphic to the safety 
properties of [1], for example, with the caveat that we have not yet treated 
invariance under stuttering. It is quite natural, and desirable, to add a 
straightforward condition of invariance under stuttering to our definitions, 
as first advocated by Lamport [20]. For simplicity, we do not do so at this 
point, but do give a full discussion below. 

The length $|\sigma|$ of a behavior $\sigma$ is the number of agents that occur in $\sigma$. 
If $0 \le m \le |\sigma|$ then $\sigma|_m$ is the prefix of $\sigma$ of length $m$; if $m > |\sigma|$, then 
$\sigma|_m = \sigma$. 

Proposition 1 $S_B$ is a complete Heyting algebra, where $\wedge$ is $\cap$, $\vee$ is $\cup$, and 
the associated implication is 

$$M_1 \to M_2 = \{\sigma \mid \forall n \ge 0.\ \text{if } \sigma|_n \in M_1 \text{ then } \sigma|_n \in M_2\}$$

Proof As $S_B$ is closed under finite intersections and arbitrary unions, the 
set-theoretic operations are the lattice-theoretic ones. For implication, note 
that 

$$M_1 \to M_2 = \{\sigma \mid \forall n \ge 0.\ \sigma|_n \in (B \setminus M_1) \cup M_2\}$$

and so it is the greatest safety property contained in the Boolean implication. $\blacksquare$ 
Hence, the algebra of safety properties is a model for intuitionistic logic. 
The next subsection discusses composition in this intuitionistic setting, and 
the following one adds the treatment of stuttering. 

3.1 Composition 

We say that the safety property $M$ constrains at most the set of agents $\mu$, 
and write $M \le \mu$, if both: 

1. if $s \in S$ then $s \in M$; and 

2. if $\sigma \in M$, $s \in S$, and $a \notin \mu$, then $\sigma \xrightarrow{a} s \in M$. 

Note that if $M \le \mu$ then $(N \to M) \le \mu$ for every $N$, and that if $\mu \subseteq \nu$ and 
$M \le \mu$ then $M \le \nu$. The collection of safety properties that constrain at most 
$\mu$ is closed under non-empty joins and finite meets. 

Further, let $M^\mu$ be the smallest superset of $M$ that constrains at most $\mu$. 
The definition of "constrains at most," in the form of a monotone closure 
condition, guarantees that such an $M^\mu$ exists. In fact, a behavior in $M^\mu$ is 
either a behavior in $M$ extended with arbitrary $\bar\mu$ steps (steps by agents in the 
complement $\bar\mu = A \setminus \mu$), or simply a behavior 
that consists exclusively of $\bar\mu$ steps. So $(\cdot)^\mu$ is a monotone closure operation. 
It commutes with arbitrary non-empty joins, and also with finite meets. 

We are now in a position to formulate a version of the Composition Principle 
of [1] specialized to safety properties. If $I$ is a set of states, we write $I$ also for the 
safety property $\{\sigma \mid \sigma \text{ begins with an element of } I\}$; such a safety property 
is an initial condition. 

Theorem 1 (Composition Principle) For $n \ge 0$ and $i = 1, \ldots, n$ let $\mu_i$ be 
sets of agents, let $I_i$ and $I$ be sets of states, and let $M_i \le \mu_i$ and $E_i \le \bar\mu_i$ 
(the complement of $\mu_i$). Suppose that $I \subseteq I_i$ and, for $i = 1, \ldots, n$, 
$E \wedge \bigwedge_j M_j \wedge I_i \vdash E_i$. Then 

$$\bigwedge_i (I_i \wedge E_i \to M_i) \vdash I \wedge E \to \bigwedge_i M_i \tag{1}$$

Proof We show by induction on the length of $\sigma$ that, for $i = 1, \ldots, n$, if $\sigma$ is in 
the set on the left-hand side and is also in $I \wedge E$ then it is in $M_i$. So pick $\sigma$ 
and an $i$ between $1$ and $n$. In case $\sigma$ has length zero, the result is immediate 
as $M_i \le \mu_i$. Otherwise, $\sigma$ has the form $\sigma' \xrightarrow{a} s$. By induction hypothesis, $\sigma'$ 
is in $M_j$, for $j = 1, \ldots, n$. So if $a \notin \mu_i$, we get $\sigma \in M_i$ as $M_i \le \mu_i$. 
We are left with the case where $a \in \mu_i$. As $\sigma \in I \wedge E$ we get $\sigma' \in E \wedge I_i$. But 
now, as $\sigma' \in \bigwedge_j M_j$ by the induction hypothesis, we get $\sigma' \in E_i$ (since, by 
assumption, $E \wedge \bigwedge_j M_j \wedge I_i \vdash E_i$) and so $\sigma \in E_i$ (as $E_i \le \bar\mu_i$). So, finally, as 
we now have $\sigma \in I_i \wedge E_i \to M_i$ and $\sigma \in I_i \wedge E_i$, we get $\sigma \in M_i$ as required. $\blacksquare$ 

The Composition Principle corresponds to that of [1] restricted to safety 
properties once stuttering is taken into account (but with somewhat weaker 
hypotheses). The principle is designed to be of direct use in applications. 
As such, it is rather complex, and we turn to finding simpler but equivalent 
versions. An immediate simplification is obtained by removing the initial 
conditions to obtain that if $M_i \le \mu_i$, $E_i \le \bar\mu_i$, and $E \wedge \bigwedge_i M_i \vdash \bigwedge_i E_i$, then 

$$\bigwedge_i (E_i \to M_i) \vdash E \to \bigwedge_i M_i \tag{2}$$

This is evidently a special case of the principle. It also implies the principle, 
as follows. Let us assume the hypotheses given in the statement of the 
Composition Principle. The remarks above on the $\le$ relation yield $(I_i \to 
E_i) \le \bar\mu_i$, and so we can substitute $I_i \to E_i$ for $E_i$ in (2), obtaining: 

$$\bigwedge_i ((I_i \to E_i) \to M_i) \vdash E \to \bigwedge_i M_i \tag{3}$$

But now, (1) follows from (3) and $I \vdash \bigwedge_i I_i$ by propositional reasoning. (By 
that we mean that if we treat (1), (3), and $I \vdash \bigwedge_i I_i$ as sequents in a suitable 
intuitionistic calculus, regarding the $E$, $E_i$, $M_i$, $I$, $I_i$ as propositional symbols, 
and $\wedge$ and $\to$ as logical connectives, then (1) can be derived from (3) 
and $I \vdash \bigwedge_i I_i$.) 

It is instructive to consider the case $n = 1$, which amounts to the fact that 
if $E \wedge M_1 \vdash E_1$ then $(E_1 \to M_1) \vdash (E \to M_1)$. By propositional reasoning 
this is equivalent to the case where $E = (M_1 \to E_1)$, which can be written 
as: 

$$(E_1 \to M_1) \wedge (M_1 \to E_1) \vdash M_1 \qquad (M_1 \le \mu,\ E_1 \le \bar\mu) \tag{4}$$

It turns out that the whole Composition Principle can be reduced to this 
case just using propositional reasoning. To show this, let us assume (4) and 
demonstrate the special case of the Composition Principle not involving 
initial conditions. We proceed by induction on $n$, with the base case having 
already been considered. For $n > 1$, assume that $E \wedge \bigwedge_i M_i \vdash \bigwedge_i E_i$. Then 
for any $j$ (where $1 \le j \le n$) we have: 

$$\begin{array}{rcll}
\bigwedge_i (E_i \to M_i) \wedge E & \vdash & (E_j \to M_j) \wedge \bigwedge_{i \ne j} (E_i \to M_i) \wedge E \\
& \vdash & (E_j \to M_j) \wedge (E \wedge M_j \to \bigwedge_{i \ne j} M_i) \wedge E & \text{(by induction hypothesis, since } E \wedge M_j \wedge \bigwedge_{i \ne j} M_i \vdash \bigwedge_{i \ne j} E_i\text{)} \\
& \vdash & (E_j \to M_j) \wedge (E \wedge M_j \to E_j) \wedge E & \text{(since by assumption } E \wedge M_j \wedge \bigwedge_{i \ne j} M_i \vdash E_j\text{)} \\
& \vdash & (E_j \to M_j) \wedge (M_j \to E_j) \\
& \vdash & M_j & \text{(by (4))}
\end{array}$$

In short, we get $\bigwedge_i (E_i \to M_i) \wedge E \vdash M_j$ (for $j = 1, \ldots, n$), and hence also 
$\bigwedge_i (E_i \to M_i) \vdash E \to \bigwedge_i M_i$ as desired. 

If we allow the $(\cdot)^\mu$ operator in our statements, (4) can be further reduced 
to: 

$$(M^{\bar\mu} \to M) \vdash M \qquad (M \le \mu) \tag{5}$$

This formula follows by propositional reasoning from (4) (taking $M_1 = M$ 
and $E_1 = M^{\bar\mu}$) and the fact that $M \vdash M^{\bar\mu}$. But (5) also implies (4), once we 
add to our propositional reasoning a fact about the $(\cdot)^\mu$ operator given by 
Lemma 1: 

Lemma 1 If $M$ and $E$ are safety properties and $\nu$ is a set of agents, then 
$M \to E \vdash M^\nu \to E^\nu$. 

Proof The proof is a simple chain of implications: 

$$\begin{array}{rcll}
(M \to E) \wedge M^\nu & \vdash & (M \to E)^\nu \wedge M^\nu \\
& \vdash & ((M \to E) \wedge M)^\nu & \text{(as } (\cdot)^\nu \text{ preserves intersections)} \\
& \vdash & E^\nu & \text{(as } (\cdot)^\nu \text{ is monotone)}
\end{array}$$

$\blacksquare$ 

Now to see that (4) follows from (5), suppose that $M \le \mu$, $E \le \bar\mu$, and calculate: 

$$\begin{array}{rcll}
(E \to M) \wedge (M \to E) & \vdash & (E \to M) \wedge (M^{\bar\mu} \to E^{\bar\mu}) & \text{(by Lemma 1)} \\
& \vdash & M^{\bar\mu} \to M & \text{(since } E \le \bar\mu\text{)} \\
& \vdash & M & \text{(by (5))}
\end{array}$$
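The following script is an added illustration, not code from the paper: it builds a bounded model of Section 3.1 in Python, enumerating every behavior over a constructed four-state, two-agent universe up to a fixed depth, implementing $\to$, the constrains-at-most relation and the closure $(\cdot)^\mu$ as finite set operations, and checking the Composition Principle on the $x_1$, $x_2$ example of Section 1 with the disjointness proviso satisfied and with it violated, together with the reduced form (5). The state space, the depth bound and all function names are assumptions of the example, and each check is a finite check over the bounded universe, not a proof for behaviors of every length.

```python
"""Bounded model of the intuitionistic logic of safety properties (Sections 2.1
and 3.1). Added example, not from the paper: states are pairs (x1, x2) with
x1, x2 in {0, 1}, the agents are "p1" and "p2", and every behavior with at most
DEPTH agent steps is enumerated, so each entailment is a finite check over that
bounded universe rather than a proof for behaviors of all lengths."""
from itertools import product

STATES = [(x1, x2) for x1 in (0, 1) for x2 in (0, 1)]
AGENTS = ("p1", "p2")
DEPTH = 3  # maximum number of agent steps in an enumerated behavior

def behaviors(depth=DEPTH):
    """All behaviors s0 -a1-> s1 ... -an-> sn with n <= depth, encoded as the
    flat tuple (s0, a1, s1, ..., an, sn)."""
    result = []
    for n in range(depth + 1):
        for s0 in STATES:
            for moves in product(product(AGENTS, STATES), repeat=n):
                b = (s0,)
                for a, s in moves:
                    b += (a, s)
                result.append(b)
    return result

B = behaviors()  # the set of all behaviors (truth)

def length(b):
    return (len(b) - 1) // 2

def prefixes(b):
    """b|0, b|1, ..., b|n: the prefix of length m keeps the first m agent steps."""
    return [b[:2 * m + 1] for m in range(length(b) + 1)]

def steps(b):
    """The triples (s, a, s') of each agent step in b."""
    return [(b[i], b[i + 1], b[i + 2]) for i in range(0, len(b) - 2, 2)]

def is_safety(M):
    """A safety property is a prefix-closed set of behaviors."""
    return all(p in M for b in M for p in prefixes(b))

def implies(M1, M2):
    """M1 -> M2 = {b | for all n >= 0, b|n in M1 implies b|n in M2}
    (Proposition 1): b satisfies M2 for as long as it satisfies M1, or longer."""
    return {b for b in B if all(p not in M1 or p in M2 for p in prefixes(b))}

def entails(M, N):
    """The turnstile is set inclusion."""
    return M <= N

def constrains_at_most(M, mu):
    """M <= mu: every state is in M, and whenever b is in M and a is an agent
    outside mu, b -a-> s is in M (only mu steps can take a behavior out of M)."""
    if not all((s,) in M for s in STATES):
        return False
    return all(b + (a, s) in M
               for b in M if length(b) < DEPTH
               for a in AGENTS if a not in mu
               for s in STATES)

def closure(M, mu):
    """M^mu, the least superset of M constraining at most mu: a behavior of M
    extended by arbitrary steps of agents outside mu, or a behavior made up
    only of such steps."""
    def outside(a):
        return a not in mu
    C = set()
    for b in B:
        st = steps(b)
        if all(outside(a) for _, a, _ in st):
            C.add(b)
        elif any(b[:2 * m + 1] in M and all(outside(a) for _, a, _ in st[m:])
                 for m in range(length(b) + 1)):
            C.add(b)
    return C

def never_decreases_on(agent, index):
    """The safety property 'x_index never decreases on a step by `agent`'.
    Steps by the other agent are unconstrained, so it constrains at most {agent}."""
    return {b for b in B
            if all(a != agent or t[index] >= s[index] for s, a, t in steps(b))}

M1 = never_decreases_on("p1", 0)  # only p1 writes x1, and x1 never decreases
M2 = never_decreases_on("p2", 1)  # only p2 writes x2, and x2 never decreases

def composition_principle(Ma, Mb):
    """Does (Mb -> Ma) /\ (Ma -> Mb) |- Ma /\ Mb hold on the bounded universe?"""
    return entails(implies(Mb, Ma) & implies(Ma, Mb), Ma & Mb)

def reduced_principle(M, mu):
    """Formula (5): (M^{complement of mu} -> M) |- M, for M <= mu."""
    complement = {a for a in AGENTS if a not in mu}
    return entails(implies(closure(M, complement), M), M)
```

With `M1` and `M2` constrained by disjoint agent sets the principle holds, while taking `M2` equal to `M1`, or constrained by the same agent `p1`, produces a counterexample behavior in the left-hand side that is outside $M_1 \wedge M_2$.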
3.2 Stuttering 



Two behaviors are stuttering equivalent if they differ only as regards the 
presence or absence of steps of the form $s \xrightarrow{a} s$. Formally, define stuttering 
equivalence as the least equivalence relation $\sim$ on behaviors such that: 

$$u s a s v \sim u s v \tag{6}$$

Orienting this equation from left to right we obtain a strongly normalizing 
Church-Rosser reduction system. The normal forms are the behaviors containing 
no stuttering steps. Write $\natural\sigma$ for the normal form of $\sigma$; it is the 
shortest behavior stuttering equivalent to $\sigma$. 

Following [1] we concern ourselves with properties closed under $\sim$. Let $S_{\natural B}$ 
be the collection of safety properties closed under stuttering, and order it 
by inclusion. It turns out that $S_{\natural B}$ is again a complete Heyting algebra with 
finite meets and arbitrary joins given set-theoretically, and the associated 
implication is the restriction of that for $S_B$. The first part of these assertions 
is obvious; for the second we need to examine the relationship between the 
prefix ordering $\le$ on behaviors and stuttering equivalence. 

Lemma 2 Suppose that $\sigma' \le \sigma \sim \tau$. Then there exists a $\tau'$ such that 
$\sigma' \sim \tau' \le \tau$. 

Proof Since $\sigma \sim \tau$, $\tau$ can be obtained from $\sigma$ by a sequence of steps of the 
form (6) or the converse. We prove the result for the case of one such step; 
an evident inductive argument then completes the proof. So first suppose 
that $\sigma$, $\tau$ have the forms $usasv$ and $usv$. Since $\sigma' \le \sigma = usasv$ either $\sigma' \le us$ 
or $us < \sigma'$. In the first case we have $\sigma' \le \tau$ and so we can take $\tau' = \sigma'$. In 
the second case $\sigma'$ must have the form $usasv'$ where $v' \le v$ and we can take 
$\tau' = usv'$. It remains to consider the situation where $\sigma$, $\tau$ have the forms 
$usv$ and $usasv$. Since $\sigma' \le usv$ we have either that $\sigma' \le u$ (when we can 
take $\tau' = \sigma'$) or that $\sigma'$ has the form $usv'$ with $v' \le v$ (when we can take 
$\tau' = usasv'$). $\blacksquare$ 

We can now check that if $M_1$ and $M_2$ are in $S_{\natural B}$ then so is $M_1 \to M_2$ (where 
$\to$ is as defined above). It follows that $\to$ is the intuitionistic implication 
in $S_{\natural B}$. For this, suppose that $\sigma \sim \tau \in M_1 \to M_2$. Suppose further that 
$\sigma|_n \in M_1$ for some $n \ge 0$. Then, by the Lemma, for some $\tau' \le \tau$, $\sigma|_n \sim \tau'$. 
We now have successively that: $\tau' \in M_1$ (as $M_1$ is $\sim$-closed), $\tau' \in M_2$ (as 
$\tau \in M_1 \to M_2$), and $\sigma|_n \in M_2$ (as $M_2$ is also $\sim$-closed). Hence, $\sigma \in M_1 \to 
M_2$. 

The relation between $S_B$ and $S_{\natural B}$ is best explained by the map $\varphi : S_B \to S_B$ 
where $\varphi(M)$ is defined to be the least safety property that contains $M$ and 
is closed under stuttering. 

Proposition 2 1. $\varphi(M) = \{\tau \mid \exists \sigma \in M.\ \tau \sim \sigma\}$. 

2. $\varphi$ is a monotone closure operation preserving all joins; 
$S_{\natural B}$ is its partial order of fixed points. 

Proof 

1. It suffices to show that the right-hand side is a safety property, and 
this is immediate from Lemma 2. 

2. Obvious. 

$\blacksquare$ 

As the lattice-theoretic operations in $S_{\natural B}$ are the set-theoretic ones, the 
collection of stuttering-closed safety properties that constrain at most $\mu$ is 
closed under non-empty joins and finite meets; and we also know that if $M$ 
is such a property then so is $N \to M$, for any $N$ in $S_{\natural B}$. For $M$ in $S_{\natural B}$, let 
$M^{\natural\mu}$ be the least superset of $M$ in $S_{\natural B}$ which constrains at most $\mu$. 

Proposition 3 1. $M^{\natural\mu} = \varphi(M^\mu)$. 

2. $(\cdot)^{\natural\mu}$ is a monotone closure operation that preserves non-empty joins 
and finite meets. 

Proof 

1. It suffices to show that $\varphi(M^\mu)$ constrains at most $\mu$. First we have 
that $S \subseteq M^\mu \subseteq \varphi(M^\mu)$. Second, suppose that $\sigma \in \varphi(M^\mu)$, $a \notin \mu$, and 
$s \in S$. Then $\sigma \sim \tau$ for some $\tau$ in $M^\mu$. So $\sigma \xrightarrow{a} s \sim \tau \xrightarrow{a} s \in M^\mu$ and we 
have that $\sigma \xrightarrow{a} s \in \varphi(M^\mu)$. 

2. Evidently $(\cdot)^{\natural\mu}$ is a monotone closure operation. It preserves non-empty 
joins as both $\varphi$ and $(\cdot)^\mu$ do. All closure operations preserve the top 
element. For binary meets, we just prove the inclusion 

$$\varphi(M^\mu) \cap \varphi(N^\mu) \subseteq \varphi((M \cap N)^\mu)$$

the other direction being a trivial consequence of monotonicity. So 
suppose that $\sigma \sim \tau$ in $M^\mu$ and $\sigma \sim \gamma$ in $N^\mu$. It is straightforward to 
show, for any $M$ in $S_B$, that if $\sigma \in M^\mu$ then $\natural\sigma \in M^\mu$. So we get that 
$\sigma \sim \natural\sigma \in (M^\mu \cap N^\mu)$, as $\natural\sigma = \natural\tau = \natural\gamma$. But $(M^\mu \cap N^\mu) = (M \cap N)^\mu$ as 
$(\cdot)^\mu$ preserves binary intersections, and so we have $\sigma \in \varphi((M \cap N)^\mu)$, 
as required. 

$\blacksquare$ 

The Composition Principle goes through with stuttering-invariance exactly 
as it did before. We need only note that $I$ is in $S_{\natural B}$, and that meet, join, and 
implication for $S_{\natural B}$ are the restrictions of the corresponding $S_B$ operations. 
All the reductions of the principle to simpler ones also go through exactly 
as before, as they are either propositional or use the expected corresponding 
facts for $(\cdot)^{\natural\mu}$: that $M \vdash M^{\natural\mu}$ and $M \to E \vdash M^{\natural\nu} \to E^{\natural\nu}$, the proof of the 
latter being perfectly analogous to that of Lemma 1. 

4 Intuitionistic Linear Logic 

In this section we develop the intuitionistic linear logic proposed in the 
overview. The study of classical linear logic is postponed to the next section. 

We assume given only a set of states $S$; there is no notion of agent in this 
calculus. A transition is a pair of states. A process is a prefix-closed set 
of sequences of transitions. (Note that the empty sequence $\varepsilon$ is allowed.) 
The set of all processes is denoted by $\mathcal{P}$. It is partially ordered by $\subseteq$ and 
as such it is a complete semilattice, which is to say that it has least upper 
bounds of all subsets. For two given complete semilattices $L$ and $M$, we 
write $f : L \multimap M$, and say that $f$ is linear, meaning that $f$ preserves all 
least upper bounds, that is $f(\bigvee X) = \bigvee_{x \in X} f(x)$ for all subsets $X$ of $L$. 
The set $L \multimap M$ of linear functions from $L$ to $M$ itself forms a complete 
semilattice under the so-called pointwise ordering: $f \le g$ iff $f(x) \le g(x)$ for 
all $x$ in $L$.$^1$ 

Complete semilattices $L$ can be viewed as cpos (partial orders with a least 
element and least upper bounds (lubs) of directed sets) endowed with a 
continuous semilattice operation, $+$, such that $x \le x + y$. (Note that $x + y$ 
must be $x \vee y$, the least upper bound in the partial order.) In the work of 
Hennessy and Plotkin [15], this kind of algebra was found to be appropriate 
to the study of lower powerdomains, which are just free algebras of that kind. 
Following ideas in [16], we now define a safety property on such a structure 
as a non-empty Scott-closed subset closed under the semilattice operation. 
Intuitively, a safety property asserts that nothing ever goes wrong, and 
"going wrong" has the following three qualities: 

1. nothing can go wrong with $\bot$, the least element, as $\bot$ corresponds to 
nothing happening; 

2. if nothing can go wrong with each element of a directed set $X$ then 
nothing can go wrong with $\bigvee X$, as "going wrong" is continuous; 

3. if nothing can go wrong with $x$ or $y$ then nothing can go wrong with 
$x + y$, as all that can happen with $x + y$ is whatever happens with $x$ 
or whatever happens with $y$. 

This intuition can be formalized by taking as a way of going wrong a linear 
map $f : L \multimap I$ where $I$ is the two-point complete semilattice, $\{\bot, \top\}$, with 
$\bot < \top$. The collection of elements of $L$ where $f$ does not "go wrong" is 
$f^{-1}(\bot)$ and this yields an isomorphism 

$$S(L) \cong (L \multimap I)^{op}$$

where we order the collection of safety properties $S(L)$ by subset. Considering 
again our desire to work with elementary means, note that every safety 
property $X \subseteq L$ has a largest element, namely $m(X) =_{def} \bigvee X$. 

$^1$ It is possible to view $\mathcal{P}$ also as the solution to a domain equation, by choosing a 
category of domains tailored to nondeterminism, in the fashion of [15]. Specifically, working in 
the category of complete semilattices, we find that $\mathcal{P}$ is the initial solution to the equation: 

where the lifting operator $(\cdot)_\bot$ adds a new least element, and the tensor product is defined 
by a universal property: there is a universal bilinear map $L \times M \to L \otimes M$. Thus 
$\mathcal{P}$ can be obtained by the methods available in domain theory, and as such it provides 
a kind of resumption useful for the semantics of nonterminating processes. Its simple 
representation as the prefix-closed sets of transition sequences allows us to work with it 
using very elementary mathematical means. 
Proposition 4 The function $m : S(L) \to L$ is an isomorphism of partial 
orders. 

Proof The function is clearly monotone. Its inverse is $m^{-1}(x) = \{y \mid y \leq x\}$ 
which is also monotone. $\square$ 

This isomorphism, together with the remarks above, yields an isomorphism 
$L^{op} \cong (L \multimap I)$ which is part of the well-known self-duality of the category 
of complete semilattices [17]. We say the process $p$ satisfies a safety property 
$X$, and write $p \models X$, if and only if $p \in X$. Under the isomorphism this is 
the case iff $p \subseteq m(X)$. 

We will work with $V$ rather than the more complex $S(V)$. First, $V$ is again 
a complete Heyting algebra with the lattice-theoretic operations being the 
set-theoretic ones and the associated implication being 

$$M_1 \to M_2 = \{u \mid \forall n \geq 0.\ \text{if } u|n \in M_1 \text{ then } u|n \in M_2\}$$

where the prefix $u|n$ is defined as usual for sequences. The empty set (falsehood) 
is written $0$, and the set of all transition sequences (truth) is written 
$\top$. 

If $p_1$ and $p_2$ are two processes, their parallel composition is $p_1 \parallel p_2$, where $\parallel$ is 
the language shuffle operator. Conjunction is no longer the logical correlate 
of parallelism, however. If $p \models X$ and $q \models Y$ it is not true in general that 
$p \parallel q \models X \wedge Y$. Rather, in order to treat parallelism, we define a new 
operator on safety properties by: 

$$X \otimes Y = \{p \parallel q \mid p \models X, q \models Y\}^s$$

where $(A)^s$ is the least safety property containing $A$. 

Proposition 5 $m(X \otimes Y) = m(X) \parallel m(Y)$. 

Proof If $p \models X$ and $q \models Y$ then $p \subseteq m(X)$, $q \subseteq m(Y)$, and so $X \otimes Y = 
\{r \mid r \subseteq m(X) \parallel m(Y)\}$. $\square$ 

Working with $V$ in place of $S(V)$ we take $\otimes$ on $V$ to be $\parallel$. Now, $\otimes$ commutes 
with arbitrary joins in $V$ and gives a commutative monoid, with unit the 
null process, $1 = \{\varepsilon\}$. In other words, we have: 

Proposition 6 $(V, \bigvee, 1, \otimes)$ is a commutative quantale, where $1 = \{\varepsilon\}$. 

The associated quantalic implication is then given by 

$$M_1 \multimap M_2 = \{u \mid (\{u\} \parallel M_1) \subseteq M_2\}$$

It follows immediately that the algebra of safety specifications provides a 
model of intuitionistic linear logic [28, 25]. Parallel composition is the 
multiplicative conjunction operation, while $\wedge$ and $\vee$ are the additives. 

The exponential operator $!$ is uniquely, but trivially, determined. If $1 \subseteq M$ 
then $1 \subseteq\ !M$, and in addition $!M \subseteq 1$, by the general properties of $!$, so we 
get $!M = 1$. On the other hand, if $1 \subseteq M$ is false, the only possibility is 
$M = 0$, and $!M = 0$, as in every model $!M \subseteq M$. 

Instead, a nontrivial $(\cdot)^*$ operation is available: $M^*$ is defined as $\bigvee_{i \geq 0} M^i$ 
where $M^i$ is the $i$-fold parallel composition of $M$ with itself, and it represents 
an arbitrary number of $M$ processes running in parallel. 

Composition 

A chained transition sequence (from $s$ to $t$) is one of the form 

$$(s_1, s_2)(s_2, s_3) \cdots (s_{n-2}, s_{n-1})(s_{n-1}, s_n)$$

(where $s_1 = s$ and $s_n = t$). In particular, the sequences $\varepsilon$ and $(s_1, s_2)$ 
are chained. Intuitively, chained transition sequences correspond to runs of 
a system by itself, with no interference from the environment. We write 
$u \leftrightarrow_I v$ if $u$ and $v$ have a chained shuffle, beginning with an element of $I$. 

Assumption-guarantee specifications are made possible by a new ternary 
connective $\multimap_I$. We first set: 

$$(M)^{\leftrightarrow}_I = \{u \mid \exists v \in M.\ u \leftrightarrow_I v\}$$

and then define 

$$M_1 \multimap_I M_2 = (M_1)^{\leftrightarrow}_I \to M_2$$

The definition says that if a prefix $u$ of a sequence in $M_1 \multimap_I M_2$ has a chained 
shuffle beginning in $I$ with a sequence in $M_1$, then $u$ is in $M_2$. Hence, the 
sequences in $M_1 \multimap_I M_2$ cannot be distinguished from sequences in $M_2$ by 
an $M_1$ environment as regards computations beginning in $I$. 
It seems rather unfortunate to have to introduce a ternary connective where, 
furthermore, one of the arguments comes from a set of propositions different 
from the other two. We are missing a principled explanation of this connec- 
tive arising from the nature of processes. In Section 5 we give one account 
of it, relating it to the work using intuitionistic logic. 

We can now formulate a version of the Composition Principle in intuitionistic 
linear logic. 

Theorem 2 (Composition Principle) For $n > 0$ and $i = 1, \ldots, n$, suppose 
that $M_i, E_i \in V$, and let $I_i$ and $I$ be sets of states. Set $M'_i = \bigotimes_{j \neq i} M_j$. 
Suppose that $I \subseteq \bigcap_i I_i$ and $E \otimes M'_i \vdash M_i \multimap_{I_i} E_i$. Then 

$$\bigotimes_i (E_i \multimap_{I_i} M_i) \vdash E \multimap_I \bigotimes_i M_i$$

Rather than prove the soundness of this rule directly, we will progressively 
reduce it to simpler principles, and prove the simplest. First, since $\multimap_I$ is 
antimonotone in $I$ the principle is equivalent to the case where $I_i = I$, for 
$i = 1, \ldots, n$. We now keep $I$ fixed and often omit it, and write, for example, 
$E \multimap M$. 

It is straightforward to reduce the principle to the binary case. The unary 
case follows from the binary case by taking $M_2 = 1$, $E_2 = E \otimes M_1$, and 
using the fact that $N \vdash M \multimap N$, for all $M, N$. For $n \geq 2$ we proceed by 
induction. The base case is given, so suppose $n \geq 3$ and $E \otimes M'_i \vdash M_i \multimap E_i$ 
for $i = 1, \ldots, n$. So for $i = 2, \ldots, n$ we have $(E \otimes M_1) \otimes \bigotimes_{j \geq 2, j \neq i} M_j \vdash M_i \multimap E_i$ and, 
by induction hypothesis, we get that $\bigotimes_{i \geq 2} (E_i \multimap M_i) \vdash E \otimes M_1 \multimap \bigotimes_{i \geq 2} M_i$. 
In order to prove $\bigotimes_i (E_i \multimap M_i) \vdash (E \multimap \bigotimes_i M_i)$ it is now enough to prove 
$(E_1 \multimap M_1) \otimes (E \otimes M_1 \multimap M'_1) \vdash E \multimap M_1 \otimes M'_1$. But this follows from the binary 
case, taking $M_2$ to be $M'_1$ and $E_2$ to be $E \otimes M_1$, since $E \otimes M'_1 \vdash M_1 \multimap E_1$ 
and $N \vdash M \multimap N$, for all $M, N$. 

More surprisingly, the general case reduces further to the unary case, which 
is: 

$$\frac{E \vdash M_1 \multimap E_1}{(E_1 \multimap M_1) \vdash (E \multimap M_1)}$$

Note that this is equivalent simply to: 

$$(E_1 \multimap M_1) \vdash (M_1 \multimap E_1) \multimap M_1 \qquad (7)$$

using the antimonotonicity of $M \multimap N$ in its first argument. 
The proof that the binary case reduces to the unary case has two parts. The 
first part applies not only to the binary case but also to the general case; it 
consists in reducing the general case to its instance where $E_i = E \otimes M'_i$: 

$$\bigotimes_i ((E \otimes M'_i) \multimap M_i) \vdash E \multimap \bigotimes_i M_i$$

In the second part, this instance is derived from the unary case for $n = 2$: 

$$(E \otimes M_2 \multimap M_1) \otimes (E \otimes M_1 \multimap M_2) \vdash E \multimap (M_1 \otimes M_2)$$

For the first part of the proof, assume that $E \otimes M'_i \vdash M_i \multimap E_i$. The 
antimonotonicity of $\multimap$ then gives: 

$$\bigotimes_i ((M_i \multimap E_i) \multimap M_i) \vdash E \multimap \bigotimes_i M_i$$

and (7) gives: 

$$\bigotimes_i (E_i \multimap M_i) \vdash \bigotimes_i ((M_i \multimap E_i) \multimap M_i)$$

The general principle follows by transitivity. 

We need first a little more about the logic of $\multimap$ for the second part of the 
proof: 

Lemma 3 Let $A, B, E \in V$. Then 

$$A \otimes (A \otimes E \multimap_I B) \vdash E \multimap_I A \otimes B$$

Proof It is enough to take $w$ in $A \otimes (A \otimes E \multimap_I B)$ and $x$ in $E$ such that 
$w \leftrightarrow_I x$ and show that $w$ is in $A \otimes B$. So taking such a $w$ and $x$, we get first 
that $w$ is a shuffle of an element $u$ of $A$ with an element $v$ of $A \otimes E \multimap_I B$. 
Next, $u$ and $x$ must have a shuffle, say $y$, such that $v \leftrightarrow_I y$. But then $y$ is 
in $A \otimes E$ and so as $v$ is in $A \otimes E \multimap_I B$, we get that $v$ is in $B$. So as $w$ is a 
shuffle of $u$ (in $A$) with $v$ (in $B$) we get $w$ in $A \otimes B$ as required. $\square$ 

We may now calculate that: 

$$(E \otimes M_2 \multimap M_1) \otimes (E \otimes M_1 \multimap M_2)$$

$$\vdash (E \otimes M_2 \multimap M_1) \otimes ((M_2 \multimap E \otimes M_1) \multimap M_2)$$
(by the unary case) 

$$\vdash (E \otimes M_2 \multimap M_1) \otimes (((E \otimes M_2 \multimap M_1) \otimes E) \multimap M_2)$$
(as $(E \otimes M_2 \multimap M_1) \otimes E \vdash M_2 \multimap E \otimes M_1$ by Proposition 3) 

$$\vdash E \multimap ((E \otimes M_2 \multimap M_1) \otimes M_2)$$
(by Lemma 3) 

$$\vdash E \multimap (E \multimap M_1 \otimes M_2)$$
(by Proposition 3) 

$$\vdash E \multimap M_1 \otimes M_2$$
(by Proposition 3) 

We are left with the task of proving the unary case. The proof requires an 
induction on the length of transition sequences and it is noteworthy that no 
other truth of the logic we have so far shown (such as Proposition 3) has 
done so. Thus all the induction is, as it were, concentrated into this one 
case. 

Proof We have to show that $(E \multimap_I M) \vdash (M \multimap_I E) \multimap_I M$ for any $E$ 
and $M$ in $V$. In case $M = 0$ the result follows immediately as $0 \multimap_I E = \top$. 
Otherwise it is enough to show that if $u$ is in $(E \multimap_I M)$ and $v$ is in $(M \multimap_I E)$ 
and $u \leftrightarrow_I v$ then $u$ is in $M$; we show this by induction on $|u| + |v|$. If 
this is $0$ then $u = \varepsilon \in M$. Otherwise let $w$ be a complete shuffle of $u$ and $v$ 
beginning in $I$. 

There are two cases. In the first, $w = w_1(s,t)$, $v = v_1(s,t)$, and $w_1$ is a 
complete shuffle of $u$ and $v_1$. As $|u| + |v_1| < |u| + |v|$, we then get $u$ in $M$ 
by the induction hypothesis. In the second case, $w = w_1(s,t)$, $u = u_1(s,t)$, 
and $w_1$ is a complete shuffle of $u_1$ and $v$. As $|u_1| + |v| < |u| + |v|$ we get 
$u_1$ in $M$, by induction hypothesis. But as $v$ is in $(M \multimap_I E)$ and $u_1 \leftrightarrow_I v$, 
we get $v$ in $E$. But then as $u$ is in $(E \multimap_I M)$ and $u \leftrightarrow_I v$, we get $u$ in $M$. $\square$ 
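The definitions of this section (the shuffle $\parallel$, chained shuffles, $u \leftrightarrow_I v$, the connective $M_1 \multimap_I M_2$), the remark that parallelism is not conjunction, and the unary case (7) just proved can all be checked by brute force on a bounded model. The following Python is an added example, not code from the paper; it assumes a two-state set $S$, a length bound $L = 3$, $I = \{0\}$, and takes the empty shuffle of $\varepsilon$ with $\varepsilon$ to count as related.

```python
"""Added example (not from the paper): a bounded brute-force model of the
linear logic of safety properties.  Transition sequences over a finite state
set S are tuples of (s, t) pairs; V is approximated by the prefix-closed
subsets of the sequences of length at most L."""
from itertools import product

S, L, I = (0, 1), 3, {0}      # constructed: two states, length bound, start set I


def prefixes(u):
    """All prefixes u|n of u, including the empty sequence and u itself."""
    return [u[:n] for n in range(len(u) + 1)]


def shuffles(u, v):
    """Every complete shuffle (interleaving) of u and v."""
    if not u or not v:
        yield u + v
        return
    for w in shuffles(u[1:], v):
        yield (u[0],) + w
    for w in shuffles(u, v[1:]):
        yield (v[0],) + w


def is_chained(w):
    """(s1,s2)(s2,s3)...: the target of each transition is the next source."""
    return all(w[i][1] == w[i + 1][0] for i in range(len(w) - 1))


def related(u, v, I):
    """u <->_I v: some complete shuffle of u and v is chained and begins in I.
    Assumption: the empty shuffle (u = v = epsilon) counts as related."""
    return any(is_chained(w) and (not w or w[0][0] in I) for w in shuffles(u, v))


def universe(S, L):
    """All transition sequences over S of length at most L."""
    trans = list(product(S, repeat=2))
    return {seq for n in range(L + 1) for seq in product(trans, repeat=n)}


def tensor(A, B, U):
    """A (x) B = A || B: the shuffles of an A-sequence with a B-sequence."""
    return {w for a in A for b in B for w in shuffles(a, b) if w in U}


def implies(A, B, U):
    """Heyting implication: u is in A -> B iff every prefix of u in A is in B."""
    return {u for u in U if all(p in B for p in prefixes(u) if p in A)}


def lolli(M1, M2, I, U):
    """M1 -o_I M2 = (M1)^<->_I -> M2, the assumption-guarantee connective."""
    reach = {u for u in U if any(related(u, v, I) for v in M1)}
    return implies(reach, M2, U)


U = universe(S, L)
# Constructed safety properties (both prefix-closed by construction):
# E: the environment only stutters; M: the transition (1,1) never occurs.
E = {u for u in U if all(s == t for s, t in u)}
M = {u for u in U if (1, 1) not in u}


def assumption_matters():
    """E -o_I M is strictly weaker than M: (1,1) alone is not a run from I in
    a stuttering environment, so it is allowed by E -o_I M but not by M."""
    guarded = lolli(E, M, I, U)
    return ((1, 1),) in guarded and ((1, 1),) not in M and M < guarded


def unary_composition_principle():
    """Brute-force check of (7): (E -o M) |- (M -o E) -o M on the bounded model."""
    return lolli(E, M, I, U) <= lolli(lolli(M, E, I, U), M, I, U)


def parallel_is_not_conjunction():
    """p |= X and q |= Y do not give p || q |= X /\\ Y: with X = Y = {e, (0,1)}
    the shuffle (0,1)(0,1) escapes X /\\ Y."""
    X = {(), ((0, 1),)}
    return ((0, 1), (0, 1)) in tensor(X, X, U) and ((0, 1), (0, 1)) not in (X & X)


if __name__ == "__main__":
    print("assumption matters:", assumption_matters())
    print("unary composition principle:", unary_composition_principle())
    print("parallel is not conjunction:", parallel_is_not_conjunction())
```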

It also seems possible to obtain variants of the principle that apply to the 
composition of an arbitrary number of like processes that depend on one 
another, in an environment $E$. For example, we can show: 

$$\frac{(E \otimes M^* \multimap_I M)^*}{E \multimap_I M^*}$$

To see this is true, in Theorem 2 take $M_i = M$, $I_i = I$, and $E_i = E \otimes M^{n-1}$, 
obtaining that: 

$$(E \otimes M^{n-1} \multimap_I M)^n \vdash E \multimap_I M^n$$

for $n > 0$. But then, since $M^{n-1} \vdash M^*$, we get: 

$$(E \otimes M^* \multimap_I M)^n \vdash E \multimap_I M^n$$

for $n > 0$, and so, as $1 \vdash M \multimap_I 1$ and $(M \multimap_I \cdot)$ distributes over arbitrary 
non-empty joins (as is easily verified), the required result follows. 

There does not seem to be an analogous rule in the intuitionistic framework 
of the previous section. 

5 Classical Linear Logic 

Once we have a quantale, there is a well-known and straightforward way to 
interpret classical linear logic; we choose an element $\bot$ and, setting $x^\perp = 
x \multimap \bot$, we work with the $(\cdot)^{\perp\perp}$-closed elements [25]. Here we show that by 
an appropriate choice of $\bot$ we can also find a Composition Principle within 
the framework of classical linear logic. Abramsky [27] has suggested that 
the choice of $\bot$ could depend on a notion of testing, and could be taken to 
be the set of processes that, when run by themselves, can be seen as failing 
(that is, as not passing the test). In this way we would have an internalized 
notion of testing where processes represent tests: a process $p$ would pass a 
test $q$ iff $(p \parallel q) \not\subseteq \bot$. 

Here we will make this suggestion concrete for safety properties; every test $q$ 
will yield a safety property $q \multimap \bot$ so that $p$ does not pass $q$ iff $p$ is in $q \multimap \bot$. 
We may think of the safety property yielded by $q \multimap \bot$ as being the failure 
to pass $q$. Once we restrict attention to the $(\cdot)^{\perp\perp}$-closed subsets, all safety 
properties will be of this kind as then $M = M^\perp \multimap \bot$ holds. 

It is instructive to begin with an external approach to testing and for this we 
provide a semantical analogue to some of the testing ideas of De Nicola and 
Hennessy [10, 14], adapted to the present context of processes and safety 
specifications. Let $\alpha, \beta$ be two distinct entities not in $S$, and put $S' = 
S \cup \{\alpha, \beta\}$. We may think of $\alpha$ and $\beta$ as being starting and stopping states 
for an external test scenario. Let $V'$ be the processes over $S'$; these will be 
the tests. Clearly notions and results applying to $S$ and $V$ extend to $S'$ and 
$V'$. For $p$ in $V$ and $r$ in $V'$, we say that $p$ passes $r$ iff there are $u$ in $p$ and $v$ 
in $r$ such that $u \leftrightarrow v$, meaning that some prefix $u'$ of $u$ and some prefix $v'$ 
of $v$ have a chained shuffle starting in $\alpha$ and ending in $\beta$. Note the element 
of possibility here: only the existence of such a pair $u, v$ is required; $p$ will 
not pass $r$ iff there is no such possibility. 

Now we have a natural testing preorder on processes in $V$: 

$$p \lesssim_V q \text{ iff } \forall r \in V'.\ (p \text{ passes } r \supset q \text{ passes } r)$$

In order to characterize this preorder some definitions are needed. Let $\sqsubseteq$ be 
the least preorder on transition sequences over $S$ such that: 

$$uv \sqsupseteq u$$

$$u(r, s)(s, t)v \sqsupseteq u(r, t)v$$
$$uv \sqsupseteq u(s, s)v$$

and, if $n > 0$ and $u = (s_1, t_1) \ldots (s_n, t_n)$ is a transition sequence over $S$, set 

$$u^\# = (\alpha, s_1)(t_1, s_2) \cdots (t_{n-1}, s_n)(t_n, \beta),$$ and set $\varepsilon^\# = (\alpha, \beta)$. 

Proposition 7 1. $u \leftrightarrow u^\#$. 

2. Suppose $v \sqsupseteq u \leftrightarrow w$. Then $v \leftrightarrow w$. 

3. Suppose $v \leftrightarrow u^\#$. Then $v \sqsupseteq u$. 

Proof Parts 1 and 2 are easy to prove and we just consider part 3. If 
$u = \varepsilon$ then (trivially) $v \sqsupseteq u$. Otherwise $u$ has the form $(s_1, t_1) \ldots (s_n, t_n)$ 
with $n > 0$ and since $v \leftrightarrow u^\#$, $v$ must have the form $v_1 \ldots v_n v'$ where, for 
$i = 1, \ldots, n$, either $v_i = \varepsilon$ and $s_i = t_i$ or $v_i$ is a chained transition sequence 
beginning in $s_i$ and ending in $t_i$. In either case $v_i \sqsupseteq (s_i, t_i)$ and so $v \sqsupseteq u$. $\square$ 

Theorem 3 $p \lesssim_V q$ iff $\forall u \in p.\ \exists v \in q.\ u \sqsubseteq v$. 

Proof First suppose that $p \lesssim_V q$ and $u \in p$. Let $r = \{w \mid w \leq u^\#\} \in V'$. 
Then as $u \leftrightarrow u^\#$, by Proposition 7, we get that $p$ passes $r$, and since 
$p \lesssim_V q$ so does $q$. Hence $v \leftrightarrow w$ for some $v$ in $q$ and some $w \leq u^\#$. But 
then $v \leftrightarrow u^\#$ and so $v \sqsupseteq u$, by the Proposition. Conversely, suppose that 
$\forall u \in p.\ \exists v \in q.\ u \sqsubseteq v$ and that $p$ passes $r$. Then $u \leftrightarrow w$ for some $u \in p$, $w \in r$; 
taking a $v \in q$ such that $u \sqsubseteq v$, we get $v \leftrightarrow w$ by the Proposition, and so $q$ 
passes $r$. $\square$ 

Note that it follows from the last part of the Proposition that the largest 
process $\lesssim_V$-equivalent to a given process $p$ is $\{u \mid \exists v \in p.\ u \sqsubseteq v\}$. 
To internalize, we simply work with $V'$ rather than with $V$ and extend the 
notions above. As before, if $u$ and $v$ are transition sequences over $S'$, $u \leftrightarrow v$ 
means that there are prefixes $u', v'$ of $u, v$ which have a chained shuffle from 
$\alpha$ to $\beta$. We write $p$ passes $r$ also for $p$ in $V'$, and correspondingly extend the 
testing preorder; the extension is written $\lesssim_{V'}$. To pass to classical linear 
logic, we take $\bot$ to be the safety property of those processes that do not 
contain a chained transition sequence from $\alpha$ to $\beta$ and so indeed we have 
that: 

$$p \text{ does not pass } r \text{ iff } (p \parallel r) \subseteq \bot$$

Under the isomorphism of processes and safety properties, $\bot$ becomes 

$$\{w \mid \text{no prefix of } w \text{ is a chained transition sequence from } \alpha \text{ to } \beta\}$$

and we get for any safety property (under the isomorphism): 

$$M^\perp = \{u \mid \forall v \in M.\ \neg(u \leftrightarrow v)\}$$

Note that $p$ does not pass $r$ iff $r \parallel p \vdash \bot$ iff $r \vdash p^\perp$, so $p^\perp$ is the largest test 
$p$ does not pass. The internal and external views are linked up as follows: 

Proposition 8 1. For any $p, q$ in $V'$, $p \lesssim_{V'} q$ iff $q^\perp \vdash p^\perp$. 
2. The largest process $\lesssim_{V'}$-equivalent to $p$ is $p^{\perp\perp}$. 

Proof 

1. Suppose $p \lesssim_{V'} q$. Then as $q$ does not pass $q^\perp$, neither does $p$ and so 
$p \parallel q^\perp \vdash \bot$. Therefore, $q^\perp \vdash p^\perp$. Conversely, suppose $q^\perp \vdash p^\perp$ and $q$ 
does not pass $r$, so $q \parallel r \vdash \bot$. Then $r \vdash q^\perp \vdash p^\perp$ and so $p \parallel r \vdash \bot$. 

2. By the first part, $p$ is $\lesssim_{V'}$-equivalent to $q$ iff $p^\perp = q^\perp$. But then $p$ 
and $p^{\perp\perp}$ are equivalent (as we always have, for any choice of $\bot$, that 
$p^\perp = p^{\perp\perp\perp}$), and if $p$ and $q$ are $\lesssim_{V'}$-equivalent then $q \subseteq q^{\perp\perp} = p^{\perp\perp}$ 
(with $q \subseteq q^{\perp\perp}$ true for any choice of $\bot$). 

$\square$ 

The next task is to extend the characterization of the testing preorder to 
the whole of $V'$. We extend $\sqsubseteq$ to a relation $\sqsubseteq'$ which is the least preorder 
on $S'$-transition sequences such that: 

$$uv \sqsupseteq' u$$
$$u(r, s)(s, t)v \sqsupseteq' u(r, t)v$$
$$uv \sqsupseteq' u(s, s)v$$
$$(\alpha, \alpha)u \sqsupseteq' u$$

and $(\cdot)^\#$ is defined exactly as before. Note that $u^{\#\#} = (\alpha, \alpha)u(\beta, \beta) \equiv' u$ 

(where we take $\equiv'$ to be the equivalence relation induced by $\sqsubseteq'$). 

The analogue of Proposition 7 holds, with $\sqsubseteq'$ replacing $\sqsubseteq$: 

Proof As before, parts 1 and 2 are easy and we concentrate on part 3. 
So suppose that $v \leftrightarrow u^\#$. The case $u = \varepsilon$ is trivial and so we can take 
$u$ to have the form $(s_1, t_1)(s_2, t_2) \cdots (s_n, t_n)$ (with $n > 0$). Then $u^\#$ is 
$(\alpha, s_1)(t_1, s_2)(t_2, s_3) \cdots (t_{n-1}, s_n)(t_n, \beta)$. Some prefixes $v', w$ of $v, u^\#$ have 
a chained shuffle from $\alpha$ to $\beta$; we take $w$ and then $v'$ to be as 
short as possible. Then $\beta$ is either the last state in $w$ or the last state in $v'$. 

In the first case (when $\beta$ is the last state in $w$), either $w = u^\#$ or $w = 
(\alpha, s_1) \cdots (t_m, s_{m+1})$ with $0 \leq m < n$ and $s_{m+1} = \beta$. In the first of 
these cases $v'$ has the form $v_0 v_1 \ldots v_n$ where $v_0$ is $\varepsilon$ or is a chained 
transition sequence from $\alpha$ to $\alpha$, and for $i = 1, \ldots, n$ each $v_i$ is $\varepsilon$ and $s_i = t_i$ or 
$v_i$ is a chained transition sequence from $s_i$ to $t_i$. But then we obtain 

$$v \sqsupseteq' v' \sqsupseteq' (\alpha, \alpha)(s_1, t_1) \ldots (s_n, t_n) \sqsupseteq' u.$$

In the second of these cases $v'$ has the 
form $v_0 v_1 \ldots v_m$ with $v_0$ and $v_1, \ldots, v_m$ as before. Then we obtain 

$$v \sqsupseteq' v' \sqsupseteq' (\alpha, \alpha)(s_1, t_1) \ldots (s_m, t_m) \sqsupseteq' (s_1, t_1) \ldots (s_m, t_m) \sqsupseteq' (s_1, t_1) \ldots (s_m, t_m)(\beta, \beta) \sqsupseteq' (s_1, t_1) \ldots (s_m, t_m)(\beta, t_{m+1}) \ldots (s_n, t_n) = u.$$

In the second case (when $\beta$ is the last state in $v'$), since we chose first $w$ and 
then $v'$ as short as possible, $w$ has the form $(\alpha, s_1) \cdots (t_m, s_{m+1})$ with 
$0 \leq m < n$ and $v'$ has the form $v_0 v_1 \ldots v_m v_{m+1}$ with $v_0$ and the $v_i$ as before 
(for $i = 1, \ldots, m$) and with $v_{m+1}$ a chained transition sequence from $s_{m+1}$ to $\beta$. 
But then $v \sqsupseteq' (\alpha, \alpha)(s_1, t_1) \ldots (s_m, t_m)(s_{m+1}, \beta) \sqsupseteq' u$. $\square$ 

The symmetry of testers and testees in the relation $\leftrightarrow$ enables a pleasing 
reformulation of the first three parts of the analogue of Proposition 7: 

Proposition 9 $v \leftrightarrow u$ iff $v \sqsupseteq' u^\#$. 

Proof If $v \leftrightarrow u$ then as $u^{\#\#} \equiv' u$ we get, by part 2 of the analogue 
of Proposition 7 and the symmetry of $\leftrightarrow$, that $v \leftrightarrow u^{\#\#}$. So by part 3, 
$v \sqsupseteq' u^\#$. 
Conversely if $v \sqsupseteq' u^\#$ then as $u^\# \leftrightarrow u^{\#\#}$ by part 1, we get $u^{\#\#} \leftrightarrow u^\#$ by 
symmetry and then, as $u^{\#\#} \equiv' u$, $v \leftrightarrow u$ by part 2. $\square$ 

The analogue of Theorem 3 holds, with the analogous proof: 

$$p \lesssim_{V'} q \text{ iff } \forall u \in p.\ \exists v \in q.\ u \sqsubseteq' v$$

and so the facts, being the largest elements of the $\lesssim_{V'}$-equivalence classes by Proposition 8, 
are exactly the $\sqsubseteq'$-downwards closed sets. It follows that the lattice-theoretic 
operations are the set-theoretic ones. We can rewrite the formula above for 
$M^\perp$ (when $M$ is a fact) using Proposition 9: 

Proposition 10 $M^\perp = \{u \mid u^\# \notin M\}$. 

Proof Taking negations we see that $\exists v \in M.\ u \leftrightarrow v$ iff $\exists v \in M.\ v \sqsupseteq' u^\#$ iff 
$u^\# \in M$ (as $M$ is a fact). $\square$ 

The preorder $\sqsubseteq'$ and the map $(\cdot)^\#$ interact in a natural way: 

$$u^{\#\#} \equiv' u$$

$$u \sqsupseteq' v \text{ iff } v^\# \sqsupseteq' u^\#$$

(For the last, note that if $u \sqsupseteq' v$ then $u \leftrightarrow v^\#$ and so $v^\# \sqsupseteq' u^\#$, by 
Proposition 9). We call any such map on a preorder an involution. The case 
where the preorder is a set, say $U$, is well known to the relevance logicians 
who instead of quantales considered quasi-fields of subsets of $U$ closed under 
the quasi-complement operation: 

$$\neg X = U \setminus g(X)$$

If we divide out by the equivalence relation $\equiv'$ we obtain a quasi-field of sets 
($g([u]_{\equiv'}) = [u^\#]_{\equiv'}$) over $U = \{[u]_{\equiv'}\}$ isomorphic to our lattice of facts. The 
sets in the quasi-field are the subsets of $U$ downwards closed in the partial 
order $\sqsubseteq'/\equiv'$. 

We have already noted that the facts are closed under the set-theoretic 
operations and so the additives $\wedge, \vee, \top, 0$ retain their set theoretic definitions. 
However $\otimes$ and $1$ must be redefined, and $M \otimes N$ is now $(M \parallel N)^{\perp\perp}$ and $1$ is 
$\{\varepsilon\}^{\perp\perp}$. At the level of transition sequences we can make a further 
connection to relevance logic, this time considering $R$-frames ([If] p.47). Taking 
$U$ to be the collection of equivalence classes as above we obtain a structure 
$(U, R, [\varepsilon], g)$ where $R([u], [v], [w])$ iff there are $u' \sqsubseteq' u$, $v' \sqsubseteq' v$, and a shuffle, 
$x$, of $u'$ and $v'$ such that $w \sqsubseteq' x$. This satisfies all the requirements to be an 
$R$-frame, except for (the undesired) idempotence. Given any such structure 
$(U, R, 0, g)$ we obtain a quantale $(Q, \otimes, 1)$ for classical linear logic where $Q$ 
is the collection of $\leq$-downwards closed subsets of $U$. We take $u \leq v$ iff 
$R(0, v, u)$ and $A \otimes B = \{z \mid \exists x \in A, y \in B.\ R(x, y, z)\}$, $1 = \{x \mid x \leq 0\}$, and 
$\bot = \{x \mid x \leq g(0)\}$. Starting from the $(U, R, [\varepsilon], g)$ as above we obtain the 
quantale for classical linear logic considered in this paper. 

Composition 

To be consistent with the testing idea of starting computations from $\alpha$, we 
fix the set $I$ to be $\{\alpha\}$, and write $M \multimap N$ for $M \multimap_I N$. As suggested in 
subsection 2.2, let 

$$E^+ = E \cup \{u(s, \beta) \mid u \in E, s \in S'\}$$

Note that $E^+$ is not a fact in general, even when $E$ is a fact. 

Lemma 4 Let $E$ be a fact. Suppose $w \in E$ and $v \leftrightarrow_{\{\alpha\}} w$. Then $v^\# \in E^+$. 

Proof First suppose that $v = \varepsilon$. Then $v^\#$ is $(\alpha, \beta)$ which is in $E^+$ as $\varepsilon$ is 
in $E$ (since $w$ is). Suppose now instead that $w = \varepsilon$. Then $v$ is a chained 
transition sequence from $\alpha$ to some state $t$, and so $v^\#$ has the form $u(t, \beta)$, 
where $u$ is a sequence of stutters, that is transition pairs of the form $(s, s)$. 
But then $u \sqsubseteq' \varepsilon$ and so $u$ is in $E$ and $v^\#$ is in $E^+$. 

We may now therefore suppose that neither $v$ nor $w$ are $\varepsilon$. There are two 
cases depending on whether the chained shuffle of $v$ and $w$ starts with a 
transition from $w$, or one from $v$. In the first case there is a prefix $w'$ of 
$w$, states $s_0, \ldots, s_{n+1}$ (with $s_0 = \alpha$) and $t_0, \ldots, t_n$, and also $v_0, \ldots, v_n$ and 
$w_0, \ldots, w_n$ such that $v = v_0 \cdots v_n$, $w' = w_0 \cdots w_n$, and for $i = 0, \ldots, n$, $v_i$ is a 
chained transition sequence from $t_i$ to $s_{i+1}$, and $w_i$ is a chained transition 
sequence from $s_i$ to $t_i$. Now $v^\#$ has the form $(s_0, t_0)u_0 \cdots (s_n, t_n)u_n(s_{n+1}, \beta)$ 
where for $i = 0, \ldots, n$, $u_i$ is a sequence of stutters. But then 

$$w \sqsupseteq' w' \sqsupseteq' (s_0, t_0)u_0 \cdots (s_n, t_n)u_n$$

as $w_i$ is a chained transition sequence from $s_i$ to $t_i$, and so $(s_0, t_0)u_0 \cdots (s_n, t_n)u_n$ 
is in $E$ and $v^\#$ is in $E^+$. 

The last case is similar. Here there is a prefix $w'$ of $w$, states $s_0, \ldots, s_{n+1}$ 
(with $s_0 = \alpha$) and $t_0, \ldots, t_{n+1}$, and also transition sequences $v_0, \ldots, v_{n+1}$ and 
$w_0, \ldots, w_n$ such that $v = v_0 \cdots v_{n+1}$, $w' = w_0 \cdots w_n$, and for $i = 0, \ldots, n+1$, 
$v_i$ is a chained transition sequence from $s_i$ to $t_i$ and for $i = 0, \ldots, n$, $w_i$ is a 
chained transition sequence from $t_i$ to $s_{i+1}$. Now $v^\#$ has the form 

$$(s_0, s_0)u_0(t_0, s_1) \cdots u_n(t_n, s_{n+1})u_{n+1}(t_{n+1}, \beta)$$

where for $i = 0, \ldots, n+1$, $u_i$ is a sequence of stutters. But then 

$$w \sqsupseteq' w' \sqsupseteq' (s_0, s_0)u_0(t_0, s_1) \cdots u_n(t_n, s_{n+1})u_{n+1}$$

as $w_i$ is a chained transition sequence from $t_i$ to $s_{i+1}$, and so 
$(s_0, s_0)u_0(t_0, s_1) \cdots u_n(t_n, s_{n+1})u_{n+1}$ is in $E$ and $v^\#$ is in $E^+$, 
concluding the proof. $\square$ 

We may now obtain: 

Proposition 11 If $E$ and $M$ are facts then 

$$E \multimap M = (E^+ \cap M^\perp)^\perp$$

Proof It is fairly straightforward to show that $E \multimap M \subseteq (E^+ \cap M^\perp)^\perp$, 
directly from the definitions. Suppose that $u \in E \multimap M$ and that $v \in 
(E^+ \cap M^\perp)$, to prove that it is not the case that $u \leftrightarrow v$. If $u \leftrightarrow v$ then some 
prefix $u'$ of $u$ has a chained shuffle from $\alpha$ to $\beta$ with some prefix $v'$ of $v$. 
Choose such a $u'$ and $v'$ with $u'$ as short as possible. 

Since $v \in E^+$, $v' \in E^+$ and so either $v' \in E$ or $v' = v''(t, \beta)$ for some 
$v'' \in E$ and some state $t$. In the first case, $v' \in E$ and so $u' \in M$, using the 
assumption that $u \in E \multimap M$. But as we also have that $u' \leftrightarrow v$ and $v \in M^\perp$, 
this is a contradiction. 

In the second case, $u'$ and $v''$ have a complete shuffle starting from $\alpha$, by 
the choice of $u'$ and $v'$. This again gives us that $u' \in M$, and we have a 
contradiction as before. 

For the converse, assume that $u \in (E^+ \cap M^\perp)^\perp$, that $v$ is a prefix of $u$, and 
that $v \leftrightarrow_{\{\alpha\}} w$ for some $w \in E$, to show that $v \in M$. Then $v \in (E^+ \cap M^\perp)^\perp$ 
and by Lemma 4, $v^\# \in E^+$. Now assume for the sake of contradiction 
that $v \notin M$. Then $v^\# \in M^\perp$, by Proposition 10. But now $v \leftrightarrow v^\#$ is in 
contradiction with $v \in (E^+ \cap M^\perp)^\perp$. $\square$ 

So it is not necessary to redefine $\multimap$ in the classical logic. The direct analogue 
of the Composition Principle for the intuitionistic case holds: 

Theorem 4 (Composition Principle) For $n > 0$ and $i = 1, \ldots, n$ let $M_i$ and 
$E_i$ be facts. Set $M'_i = \bigotimes_{j \neq i} M_j$. Suppose that $E \otimes M'_i \vdash M_i \multimap E_i$. Then 

$$\bigotimes_i (E_i \multimap M_i) \vdash E \multimap \bigotimes_i M_i$$

where we are taking the classical interpretation of the tensor products. This 
version of the Composition Principle follows directly from the intuitionistic 
one using Proposition 11 and propositional reasoning. Further, the 
propositional reasoning used in the discussion of the intuitionistic case remains 
valid here, including the analogue of Proposition 3. 



6 Comparisons 

The intuitionistic logic and the linear logic are based on different connec- 
tives, and on different semantic models, yet there is a fairly straightforward 
translation between them. Specifically, we consider the relation between the 
intuitionistic logic without stuttering and the intuitionistic linear logic. Let 
$\sigma$ be a behavior 

$$s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} \cdots s_{n-1} \xrightarrow{a_n} s_n$$

Let $t_\mu(\sigma)$ be the subsequence of $(s_0, s_1) \ldots (s_{n-1}, s_n)$ such that the transition 
$(s_{i-1}, s_i)$ appears in $t_\mu(\sigma)$ if and only if $a_i \in \mu$; in particular, $t_\mu(s) = \varepsilon$. The 
runs of an element $p$ of $V$ with identity $\mu$ are the behaviors $\sigma$ such that 
$t_\mu(\sigma) \in p$. This yields a map $t_\mu^{-1} : V \to Sb$. It has both a left adjoint $\exists_\mu$ and 
a right adjoint $\forall_\mu$, where: 

$$\exists_\mu(M) = \{w \mid \exists \sigma.\ t_\mu(\sigma) = w \wedge \sigma \in M\}$$

and 

$$\forall_\mu(M) = \{w \mid \forall \sigma.\ t_\mu(\sigma) = w \supset \sigma \in M\}$$

These functions are also left inverses to $t_\mu^{-1}$, and further, the so-called 
Frobenius equality holds: 

$$\exists_\mu(t_\mu^{-1}(N) \wedge M) = N \wedge \exists_\mu(M)$$

from which follow two other equalities 

$$t_\mu^{-1}(N_1 \to N_2) = t_\mu^{-1}(N_1) \to t_\mu^{-1}(N_2)$$

and 

$$\forall_\mu(M \to t_\mu^{-1}(N)) = \exists_\mu(M) \to N$$

In fact these last three equalities are equivalent in a rather general context 
where $V$ and $Sb$ are replaced by arbitrary complete Heyting algebras, and 
$t_\mu^{-1}$ is replaced by any morphism of complete Heyting algebras which has a 
left adjoint (it will necessarily have a right adjoint). Joyal and Tierney [18] 
discuss these points further. 

The intuitionistic operations in $V$ can now be shown to be defined in terms 
of those on $Sb$: 

$$M_1 \wedge M_2 = \exists_\mu(t_\mu^{-1}(M_1) \wedge t_\mu^{-1}(M_2))$$
$$M_1 \vee M_2 = \exists_\mu(t_\mu^{-1}(M_1) \vee t_\mu^{-1}(M_2))$$

and similarly for $0$ and $\top$. These equations follow from the facts that $t_\mu^{-1}$ 
preserves $\wedge$ and $\vee$, the discussion of the Frobenius equality, and the fact 
that $\exists_\mu$ is left-inverse to $t_\mu^{-1}$; evidently the corresponding equations for $\forall_\mu$ 
also hold. 

The linear operations can also be defined in terms of those on $Sb$: 

Proposition 12 Let $M_1, M_2 \in V$ and suppose that $\mu, \nu$ are nonempty, 
disjoint sets of agents whose union is nontrivial (meaning that neither it 
nor its complement is empty). Then 

1. $1 = \exists_\emptyset(\top)$ 

2. $M_1 \otimes M_2 = \exists_{\mu \cup \nu}(t_\mu^{-1}(M_1) \wedge t_\nu^{-1}(M_2))$ 

3. $M_1 \multimap M_2 = \forall_\mu(t_\nu^{-1}(M_1) \to t_{\mu \cup \nu}^{-1}(M_2))$ 

Proof We omit the straightforward verification of part 1. 

For part 2, in one direction if $w$ is in the right-hand side, then there is a $\sigma$ 
such that $t_{\mu \cup \nu}(\sigma) = w$, $t_\mu(\sigma) \in M_1$, and $t_\nu(\sigma) \in M_2$. But then $w$ is a shuffle 
of $t_\mu(\sigma)$ and $t_\nu(\sigma)$, and so it is in $M_1 \otimes M_2$. In the other direction if $w$ is a 
shuffle of $w_1$ in $M_1$ and $w_2$ in $M_2$, then it is straightforward to construct a 
$\sigma$ such that $t_{\mu \cup \nu}(\sigma) = w$, $t_\mu(\sigma) = w_1$, and $t_\nu(\sigma) = w_2$. 

For part 3, let $\gamma$ be any element of $V$. Then: 

$$\gamma \vdash M_1 \multimap M_2 \text{ iff } \gamma \otimes M_1 \vdash M_2$$

$$\text{iff } \exists_{\mu \cup \nu}(t_\mu^{-1}(\gamma) \wedge t_\nu^{-1}(M_1)) \vdash M_2$$

$$\text{iff } t_\mu^{-1}(\gamma) \wedge t_\nu^{-1}(M_1) \vdash t_{\mu \cup \nu}^{-1}(M_2)$$

$$\text{iff } t_\mu^{-1}(\gamma) \vdash t_\nu^{-1}(M_1) \to t_{\mu \cup \nu}^{-1}(M_2)$$

$$\text{iff } \gamma \vdash \forall_\mu(t_\nu^{-1}(M_1) \to t_{\mu \cup \nu}^{-1}(M_2))$$

Now, substituting first $M_1 \multimap M_2$ and then $\forall_\mu(t_\nu^{-1}(M_1) \to t_{\mu \cup \nu}^{-1}(M_2))$ for $\gamma$, 
the conclusion follows. $\square$ 

We will make use of the evident $n$-ary generalization below, 

$$\bigotimes_i M_i = \exists_\mu\Big(\bigwedge_i t_{\mu_i}^{-1}(M_i)\Big)$$

(for mutually disjoint $\mu_i$ with union $\mu$). 

Finally we may consider the ternary connective $\multimap_I$. 

Proposition 13 Let $\mu$ be a nontrivial set of agents. Then: 

1. $(M)^{\leftrightarrow}_I = \exists_\mu(I \wedge t_{\bar\mu}^{-1}(M))$ 

2. $M_1 \multimap_I M_2 = \forall_\mu((I \wedge t_{\bar\mu}^{-1}(M_1)) \to t_\mu^{-1}(M_2))$ 

Proof 

1. In one direction, suppose that $u \in (M)^{\leftrightarrow}_I$. It follows that there is a $v$ in $M$ 
such that $u$ and $v$ have a complete shuffle $w$ from a state in $I$. We can 
then construct a $\sigma$ such that $t_\mu(\sigma) = u$, $t_{\bar\mu}(\sigma) = v$, and $t_{\mu \cup \bar\mu}(\sigma) = w$. 
This $\sigma$ witnesses that $u \in \exists_\mu(I \wedge t_{\bar\mu}^{-1}(M))$. Conversely, assuming that 
$u \in \exists_\mu(I \wedge t_{\bar\mu}^{-1}(M))$, we obtain a $\sigma$ in $I$ such that $t_\mu(\sigma) = u$ and 
$t_{\bar\mu}(\sigma) \in M$. But then $t_{\mu \cup \bar\mu}(\sigma)$ is a complete shuffle of $u$ with $t_{\bar\mu}(\sigma)$ in 
$M$ from a state in $I$, and so $u \in (M)^{\leftrightarrow}_I$. 

2. Since, by definition, 

$$M_1 \multimap_I M_2 = (M_1)^{\leftrightarrow}_I \to M_2$$

part 2 follows from the second equivalent to the Frobenius condition 
and part 1. 
The connection between the two logics allows an alternative proof of the 
linear Composition Principle by reduction to the intuitionistic one. To this 
end we will need a (rather ad hoc) version of Lemma 3; we omit the proof. 

Lemma 5 Suppose that $s > 0$. Suppose $N_r$ for $r = 1, \ldots, s$ and $N$ are in $V$ 
and that $\nu_r$ ($r = 1, \ldots, s$) are mutually disjoint sets of agents. Set $\nu = \bigcup_r \nu_r$. 
Then: 

Now for the alternative proof of Theorem 2, suppose $n > 0$, and we are 
given $M_i, E_i$ in $V$, and sets of states $I_i$ ($i = 1, \ldots, n$) and $I$. Set $M'_i = \bigotimes_{j \neq i} M_j$, 
and suppose that $I \subseteq \bigcap_i I_i$ and $E \otimes M'_i \vdash M_i \multimap_{I_i} E_i$. Let $\mu_i$ be $n$ mutually 
disjoint nontrivial sets of agents whose union, $\mu = \bigcup_i \mu_i$, is also nontrivial. 
To apply Theorem 1 we wish to show that for $i = 1, \ldots, n$: 

$$t_{\bar\mu}^{-1}(E) \wedge \bigwedge_{j \neq i} t_{\mu_j}^{-1}(M_j) \wedge I_i \to t_{\bar\mu_i}^{-1}(E_i)$$

But since, 

$$E \otimes M'_i \vdash M_i \multimap_{I_i} E_i$$

it follows that, 

$$\exists_{\bar\mu_i}\Big(t_{\bar\mu}^{-1}(E) \wedge \bigwedge_{j \neq i} t_{\mu_j}^{-1}(M_j)\Big) \vdash \exists_{\bar\mu_i}(t_{\mu_i}^{-1}(M_i) \wedge I_i) \to E_i$$

and hence by Lemma 5 

$$\exists_{\bar\mu_i}\Big(t_{\bar\mu}^{-1}(E) \wedge \bigwedge_{j \neq i} t_{\mu_j}^{-1}(M_j) \wedge I_i\Big) \vdash E_i$$

and the desired conclusion follows as $\exists_{\bar\mu_i}$ is left adjoint to $t_{\bar\mu_i}^{-1}$. 
Applying Theorem 1 we now obtain 

$$\bigwedge_i \big(I_i \wedge t_{\bar\mu_i}^{-1}(E_i) \to t_{\mu_i}^{-1}(M_i)\big) \vdash I \wedge t_{\bar\mu}^{-1}(E) \to \bigwedge_i t_{\mu_i}^{-1}(M_i)$$

But noting that 

$$t_{\mu_i}^{-1}(E_i \multimap_{I_i} M_i) = \big(t_{\mu_i}^{-1} \exists_{\mu_i}(I_i \wedge t_{\bar\mu_i}^{-1}(E_i))\big) \to t_{\mu_i}^{-1}(M_i) \vdash (I_i \wedge t_{\bar\mu_i}^{-1}(E_i)) \to t_{\mu_i}^{-1}(M_i)$$

(since $t_{\mu_i}^{-1} \circ \exists_{\mu_i} \geq id_{Sb}$) we get 

$$\bigwedge_i t_{\mu_i}^{-1}(E_i \multimap_{I_i} M_i) \vdash I \wedge t_{\bar\mu}^{-1}(E) \to \bigwedge_i t_{\mu_i}^{-1}(M_i)$$

and so by Lemma 5 and propositional reasoning 

i i 

and hence 

$$\bigotimes_i (E_i \multimap_{I_i} M_i) \vdash E \multimap_I \bigotimes_i M_i$$

as required. 

The intuitionistic logic captures an external view of processes, via their 
behaviors. The notation $M < \mu$ makes it possible to express who is the 
subject of a specification. Linear logic specifications describe a process at 
a time, and hence the notion of "constrains at most" is unnecessary. On 
the other hand, it becomes more difficult to express that one process is the 
complete environment of another, and that the system that they form is 
closed. Such closed systems are essential in the notion of testing, which 
then helps in the analysis of assumption-guarantee specifications. 